The concept of information system security protection

Disclaimer: This is the blogger's original article, released under the CC 4.0 BY-SA license; when reproducing it, please attach the original source link and this statement.
Original link: https://blog.csdn.net/u013513053/article/details/101108464

The "Classification Criteria for Security Protection of Computer Information Systems" (GB 17859-1999) is the basic standard for establishing a classified security protection system and implementing graded security management. It divides computer information systems into the following five security protection levels.

Level 1: user self-protection level.

By isolating users and data, it enables users to carry out their own security protection.

It provides users with a viable means of protecting themselves and their information, preventing other users from reading or writing their data or damaging it illegally. This level applies to ordinary intranet users.

Level 2: system audit protection level.

It implements finer-grained discretionary access control and, through login procedures, auditing of security-relevant events and resource isolation, makes users accountable for their actions. This level applies to non-critical units that conduct business over an intranet or the international network and that need confidentiality.

Level 3: security label protection level.

The system has all the functions of the system audit protection level. In addition, it must provide an informally described security policy model, data labelling, and mandatory access control of subjects over objects; it must be able to label exported information accurately; and it must eliminate any flaws discovered by testing. This level applies to local state organs at all levels, financial institutions, the post and telecommunications, energy and water supply, transportation and information technology sectors, large industrial and commercial enterprises, key construction projects and similar units.

Level 4: structured protection level.

Building on a clearly defined formal security policy model, it requires the discretionary and mandatory access control of level 3 to be extended to all subjects and objects. It also takes covert channels into account. The system must be structured into critical protection elements and non-critical protection elements, and the interfaces of the computer information system's trusted computing base must be clearly defined, so that its design and implementation can withstand more thorough testing and more complete review. It strengthens the authentication mechanism, supports the functions of system administrators and operators, provides trusted facility management, and enhances configuration management control. The system has considerable resistance to penetration. This level applies to central state organs, the radio and television sector, important material reserve units, social emergency service departments, cutting-edge technology enterprise groups, key national research institutes, national defense construction and similar sectors.

Level 5: access verification protection level.

It satisfies the requirements of an access monitor (reference monitor): the access monitor arbitrates all accesses by subjects to objects. The access monitor itself is tamper-resistant and must be small enough to be analysed and tested. To meet the access monitor requirements, the trusted computing base of the computer information system excludes, in its construction, any code not essential to implementing the security policy, and in its design and implementation reduces complexity to a minimum from a systems-engineering perspective. It supports the functions of a security administrator, extends the audit mechanism to signal when security-relevant events occur, and provides system recovery mechanisms.

The system has high resistance to penetration. This level applies to critical national defense departments and to units that are required by law to keep their computer information systems specially isolated.
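As an added illustration (not part of the original post or of the standard itself), the following Python sketch shows how the level 2, 3 and 5 requirements fit together: a small reference monitor that arbitrates every subject-to-object access by first consulting a discretionary ACL, then a mandatory label check (no read up, no write down), and records each decision for audit. All class names, labels, subjects and objects are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed sample model; names and structures are assumptions for illustration.
@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of categories (compartments)."""
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when its level is at least B's and it holds all of B's categories.
        return self.level >= other.level and self.categories >= other.categories

@dataclass
class Subject:
    name: str
    clearance: Label

@dataclass
class Obj:
    name: str
    classification: Label
    acl: dict  # discretionary permissions: subject name -> set of allowed operations

AUDIT_LOG: list = []  # every decision is recorded so users are accountable (level 2)

def check_access(subject: Subject, obj: Obj, op: str) -> bool:
    """Reference-monitor style decision: both DAC and MAC must allow the access."""
    dac_ok = op in obj.acl.get(subject.name, set())
    if op == "read":
        mac_ok = subject.clearance.dominates(obj.classification)  # no read up
    elif op == "write":
        mac_ok = obj.classification.dominates(subject.clearance)  # no write down
    else:
        mac_ok = False  # unknown operations are denied by default
    decision = dac_ok and mac_ok
    AUDIT_LOG.append({"subject": subject.name, "object": obj.name, "op": op,
                      "dac": dac_ok, "mac": mac_ok, "allowed": decision})
    return decision

def denied_events() -> list:
    """Security-relevant events an audit mechanism would signal on (level 5 extends this)."""
    return [e for e in AUDIT_LOG if not e["allowed"]]

# Constructed sample data: a secret finance report and a public bulletin.
SECRET_FIN = Label(2, frozenset({"finance"}))
PUBLIC = Label(0)
alice = Subject("alice", SECRET_FIN)
bob = Subject("bob", Label(1))
report = Obj("report", SECRET_FIN, {"alice": {"read", "write"}, "bob": {"read"}})
bulletin = Obj("bulletin", PUBLIC, {"alice": {"read", "write"}, "bob": {"read"}})
```

Note that bob is granted read on the report by the discretionary ACL, yet the mandatory label check still denies it and the denial is what the audit log captures.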

Whether an enterprise or an institution, each should determine the security protection level of its computer information systems, in accordance with the relevant national standards, according to the nature, sensitivity and importance of its sector, of its business applications, and of the information its business application systems process.

The security protection level of an information system is determined by two grading factors: the objects that are harmed when the protected object is compromised, and the degree of harm done to those objects.

For the two grading factors, please refer to https://blog.csdn.net/u013513053/article/details/101108666
